WO2019225216A1 - Determination method, determination device, and determination program - Google Patents
Determination method, determination device, and determination program
- Publication number: WO2019225216A1 (application PCT/JP2019/016222)
- Authority: WO (WIPO (PCT))
- Prior art keywords: attack, request, code, server, feature
Classifications
- G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  - G06F21/55: Detecting local intrusion or implementing counter-measures
  - G06F21/554: Detecting local intrusion or implementing counter-measures involving event detection and direct action
  - G06F21/566: Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
  - G06F21/577: Assessing vulnerabilities and evaluating computer system security
- H04L63/00: Network architectures or network communication protocols for network security
  - H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL
  - H04L63/0263: Rule management
  - H04L63/1408: Detecting or protecting against malicious traffic by monitoring network traffic
  - H04L63/1416: Event detection, e.g. attack signature detection
  - H04L63/1425: Traffic logging, e.g. anomaly detection
  - H04L63/1433: Vulnerability analysis
  - H04L63/1441: Countermeasures against malicious traffic
  - H04L63/1466: Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
  - H04L63/1491: Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
Definitions
- The present invention relates to a determination method, a determination device, and a determination program.
- An attack can be detected by a WAF (Web Application Firewall), a NIDS (Network-based Intrusion Detection System), etc., but a large number of alerts must then be investigated and verified to establish whether each attack actually succeeded. One known technique for judging success inspects the response corresponding to the attack request: if the response contains a feature that appears when the attack succeeds, the attack is judged successful, and if no such feature appears, the attack is judged to have failed (see, for example, Non-Patent Document 1).
- Because only the response corresponding to the attack request is inspected, this technique cannot determine success or failure correctly when the trace (feature) of the attack appears in a response other than the one corresponding to the attack request.
- The present invention was made in view of the above, and aims to make it possible to appropriately determine the success or failure of an attack even when a trace of the attack appears in a response different from the response corresponding to the attack request.
- The determination method of the present invention is a method for determining whether an attack on a server by an attack code has succeeded, and includes: an attack type determining step that determines the attack type of the attack code included in an attack request to the server; a feature extraction step that emulates the attack on the server by the attack code according to the determined attack type and extracts, from the result of the emulation, a feature that appears in the response from the server when the attack succeeds; and a success determining step that inspects whether each of a plurality of responses, corresponding respectively to a plurality of requests to the server subsequent to the attack request, has the extracted feature, and determines that the attack by the attack code succeeded if at least one of the plurality of responses has the extracted feature.
- The determination device of the present invention is a device for determining whether an attack on a server by an attack code has succeeded, and includes: an attack type determination unit that determines the attack type of the attack code included in an attack request to the server; a feature extraction unit that emulates the attack on the server by the attack code according to the determined attack type and extracts, from the result of the emulation, a feature that appears in the response from the server when the attack succeeds; and a success determination unit that inspects whether each of a plurality of responses, corresponding respectively to a plurality of requests to the server subsequent to the attack request, has the extracted feature, and determines that the attack by the attack code succeeded if at least one of the plurality of responses has the extracted feature.
- The determination program of the present invention is a program for determining whether an attack on a server by an attack code has succeeded, and causes a computer to execute: an attack type determining step that determines the attack type of the attack code included in an attack request to the server; a feature extraction step that emulates the attack on the server by the attack code according to the determined attack type and extracts, from the result of the emulation, a feature that appears in the response from the server when the attack succeeds; and a success determining step that inspects whether each of a plurality of responses, corresponding respectively to a plurality of requests to the server subsequent to the attack request, has the extracted feature, and determines that the attack by the attack code succeeded if at least one of the plurality of responses has the extracted feature.
- FIG. 1 is a diagram illustrating an outline of operation of the determination apparatus according to the first embodiment.
- FIG. 2 is a diagram illustrating an outline of the operation of the determination apparatus according to the first embodiment.
- FIG. 3 is a diagram illustrating a configuration example of the determination apparatus in FIG. 1.
- FIG. 4 is a diagram illustrating an example of the attack-type keyword list in FIG. 3.
- FIG. 5 is a diagram for explaining the processing by which the determination apparatus of FIG. 1 determines the success or failure of an attack.
- FIG. 6 is a diagram for explaining the processing by which the determination apparatus of FIG. 1 determines the success or failure of an attack.
- FIG. 7 is a flowchart showing the processing procedure of the determination apparatus of FIG. 1.
- FIG. 8 is a diagram for explaining the effect of the determination apparatus according to the first embodiment.
- FIG. 9 is a diagram for explaining the effect of the determination apparatus according to the first embodiment.
- FIG. 10 is a diagram for explaining the effect of the determination apparatus according to the first embodiment.
- FIG. 11 is a diagram illustrating a configuration example of the determination apparatus according to the second embodiment.
- FIG. 12 is a diagram illustrating processing for creating an input / output URL rule by the determination apparatus according to the second embodiment.
- FIG. 13 is a diagram illustrating processing for creating an input / output URL rule by the determination apparatus according to the second embodiment.
- FIG. 14 is a diagram illustrating processing for determining success or failure of an attack by the determination device according to the second embodiment.
- FIG. 15 is a diagram illustrating a configuration example of the determination apparatus according to the third embodiment.
- FIG. 16 is a diagram illustrating processing for creating a file name rule table by the determination apparatus according to the third embodiment.
- FIG. 17 is a diagram illustrating processing for determining success or failure of an attack by the determination device according to the third embodiment.
- FIG. 18 is a diagram illustrating a configuration example of a network including the determination apparatus according to each embodiment.
- FIG. 19 is a diagram illustrating a computer that executes a determination program.
- As shown in FIG. 1, the determination apparatus 10 receives an attack request (1) to a web application (web server) and identifies the attack code contained in the request and its attack type. The determination apparatus 10 then executes the attack code in an emulator that matches the identified attack type (for example, an attack type that exploits OS commands), and extracts the information the web server would output if the attack succeeded as a feature (for example, "root:*:0:/bin/sh...") (2).
- Next, the determination apparatus 10 inspects the response (3) from the web server, and if the response contains the feature extracted in (2) (for example, "root:*:0:/bin/sh"), it determines that the attack succeeded ((4) inspection result: attack successful).
- Moreover, as shown in FIG. 2, when an attack request arrives, the determination apparatus 10 of the first embodiment inspects not only the response to that attack request but also every subsequent response that meets a predetermined condition, checking whether the extracted feature is included. If the extracted feature is included, the attack is determined to have succeeded.
- In other words, the determination device 10 uses the extracted trace to check not only the response to the attack request but also the responses to a plurality of subsequent requests, so the success or failure of an attack that spans multiple requests can be determined.
- Furthermore, the determination device 10 can make this determination for attacks spanning multiple requests without modifying the existing system.
- the determination apparatus 10 includes a storage unit 11, an attack detection unit 121, an attack type determination unit 122, an attack code analysis unit (feature extraction unit) 123, a feature selection unit 124, and a success / failure determination unit 125.
- The attack-type keyword list 111 holds, for each attack type, the keywords that appear in attack code of that type.
- The attack-type keyword list 111 is referred to when the attack type determination unit 122 determines the attack type from the keywords contained in the attack code.
- Attack types are divided into five: A. attack types that exploit OS commands; B. attack types that exploit program code; C. attack types that exploit SQL commands (DB functions), such as SQL injection; D. attack types that exploit HTTP responses (for example, XSS and header injection); and E. attack types that exploit file operations (for example, directory traversal).
- For attack type A, the names of OS commands are used as keywords.
- For attack type B, expressions specific to a programming language are used as keywords. For PHP, for example, the keywords are PHP-specific functions such as print_r, var_dump and base64_decode, and PHP-specific expressions such as $_GET and $_POST. Keyword lists are prepared in the same way for Java (registered trademark), Perl, Ruby and Python.
- For attack type B, the attack-type keyword list is held per programming language, and the programming language is recorded as a sub attack type, for example as shown in FIG. 4.
- For attack type C, the keywords are SQL command names (select, update, insert, drop, etc.) and expressions characteristic of DB access; for MySQL, for example, information_schema, @@version, mysql, etc. For attack type D, specific expressions used in HTML or JavaScript (registered trademark), such as alert and onclick, are used as keywords. For attack type E, expressions specific to directory traversal attacks (../ etc.) are used as keywords.
- The feature candidate DB 112 stores the information (feature candidates) output by the web server as a result of the attack code emulation performed by the attack code analysis unit 123.
- The request/response DB 113 stores requests to various web applications (web servers) and the responses from those web applications.
- The request/response DB 113 may also store the information referred to when the feature selection unit 124 excludes words that frequently appear in normal responses (universal words) from the feature candidates.
- The request/response DB 113 is built by collecting responses in a test environment in which it is guaranteed that no attack occurs, or alternatively from responses to requests that the attack detection unit 121 did not flag as attacks.
- The feature DB 114 stores the features output by the web server when an attack with an attack code succeeds. Specifically, it stores the features that the feature selection unit 124 selected from the feature candidates in the feature candidate DB 112. The features in the feature DB 114 are referred to when the success/failure determination unit 125 determines, from a response of the web server, whether an attack succeeded.
- The attack detection unit 121 determines whether a request to the web server is an attack (attack detection).
- Existing signature-based detection algorithms (for example, Snort (https://www.snort.org/) or Bro (https://www.bro.org/)) or anomaly-detection algorithms (for example, "Detecting Malicious Inputs of Web Application Parameters Using Character Class Sequences", COMPSAC, 2015) may be used as the attack detection algorithm.
- The attack type determination unit 122 determines the attack type of the attack code contained in a request that the attack detection unit 121 determined to be an attack.
- Specifically, the attack type determination unit 122 determines to which of the five attack types (A. to E. above), regarded as particularly important in attacks against web applications, the attack code belongs. The determination is made by checking which attack type's keywords in the attack-type keyword list 111 (see FIG. 3) match keywords contained in the attack code.
- For example, referring to the attack-type keyword list 111, if "cat" is contained in the attack code, the attack type determination unit 122 determines that the attack code is of attack type A (exploiting OS commands). If "print_r" is contained in the attack code, it determines that the attack code is of attack type B (exploiting program code) and, within that type, of the sub attack type using PHP.
- When the attack code matches the keywords of more than one attack type in the attack-type keyword list 111 (see FIG. 3), the attack type determination unit 122 decides, for example, on the attack type of the keyword that appears earliest (leftmost) in the attack code.
- For example, suppose the attack code contains "php", which the attack-type keyword list 111 lists as a keyword of attack type A (the php interpreter is itself invoked as an OS command), and later the attack type B keyword "var_dump" appears.
- Since "php" appears earlier in the attack code than "var_dump", the attack type determination unit 122 determines that the attack code is of attack type A.
- If the attack code matches none of the attack types in the attack-type keyword list 111, the attack type determination unit 122 determines that the attack code does not match any attack type.
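The keyword-list determination described above, including the leftmost-keyword tie-break, as an added example (this is not code from the patent). The keyword list is a constructed stand-in for keyword list 111, the whole-word matching rule for alphanumeric keywords is an assumption, and sub types are only used for type B, where they name the programming language.

```python
"""Attack-type determination from an attack-type keyword list (added example)."""
import re
from typing import List, Optional, Tuple

# Constructed attack-type keyword list 111: (attack type, sub type, keywords).
# "php" sits in type A because the php interpreter is itself invoked as an OS command.
KEYWORD_LIST: List[Tuple[str, Optional[str], List[str]]] = [
    ("A", None,     ["cat", "ls", "id", "wget", "curl", "php", "python", "perl"]),
    ("B", "php",    ["print_r", "var_dump", "base64_decode", "$_GET", "$_POST"]),
    ("B", "python", ["import sys", "__import__", "sys.exit"]),
    ("C", None,     ["select", "union", "update", "insert", "drop",
                     "information_schema", "@@version"]),
    ("D", None,     ["<script", "alert(", "onclick", "\r\n"]),
    ("E", None,     ["../", "..\\"]),
]


def find_keyword(code: str, keyword: str) -> int:
    """Leftmost position of keyword in code, or -1. Purely alphanumeric keywords
    must match as whole words so that e.g. "id" does not fire inside "video"
    (assumed rule; the description only says the keyword is "included")."""
    if re.fullmatch(r"\w+", keyword):
        m = re.search(r"(?<!\w)" + re.escape(keyword) + r"(?!\w)", code, re.IGNORECASE)
        return m.start() if m else -1
    return code.lower().find(keyword.lower())


def determine_attack_type(attack_code: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (attack type, sub type) of the earliest-appearing keyword, or None
    when the attack code matches no attack type at all."""
    best: Optional[Tuple[int, str, Optional[str]]] = None
    for atype, sub, keywords in KEYWORD_LIST:
        for kw in keywords:
            pos = find_keyword(attack_code, kw)
            if pos >= 0 and (best is None or pos < best[0]):
                best = (pos, atype, sub)
    return None if best is None else (best[1], best[2])
```

With this list, `php -r 'var_dump(1);'` is classified as type A because "php" precedes "var_dump", exactly the tie-break case the description gives; `' union select 123456789--` is type C because "union" is the leftmost match.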
- The attack code analysis unit 123 extracts the feature (output) that appears in the response from the web server when the attack code is executed, by dynamically analysing the attack code in an emulator.
- Specifically, the attack code analysis unit 123 emulates the attack on the web application by the attack code using the emulator that corresponds to the attack type determined by the attack type determination unit 122, and extracts the output that appears in the response to the attack during the emulation as a feature candidate that appears when the attack succeeds.
- The emulator for each attack type is prepared in advance using, for example, a debugger or an interpreter, and the attack code analysis unit 123 selects the emulator that corresponds to the attack type from the emulators prepared in advance.
- For example, the attack code analysis unit 123 extracts the feature (output) that appears in the response to a request when the attack code is executed as follows.
- If the attack code is of attack type A, the attack code analysis unit 123 executes the attack code as a command in an environment that can execute OS commands (for example, a Windows (registered trademark) command prompt, Bash on Linux (registered trademark), or an emulator that can emulate such commands).
- For example, the attack code analysis unit 123 has bash execute the command given by the -c argument, as in bash -c "cat /etc/passwd;". It then extracts the standard output and standard error produced by executing the command as feature candidates. For the attack code "cat /etc/passwd;", for example, it extracts the standard output "root:*:0:/bin/sh..." and the standard error "none" as feature candidates.
- If the attack code is of attack type B, the attack code analysis unit 123 executes the attack code with an interpreter or emulator appropriate for the programming language.
- For example, if the attack code is PHP code, the attack code analysis unit 123 has the php interpreter execute the code given by the -r argument, as in php -r "print('123456789'); die();". If the attack code is Python code, it has the python interpreter execute the code given by the -c argument, as in python -c "import sys; print 123456789; sys.exit()".
- The attack code analysis unit 123 then extracts the contents of standard output and standard error as feature candidates. In the PHP case, for example, the standard output "123456789" and the standard error "none" are extracted as feature candidates for the attack code "print('123456789'); die();".
- If the attack code is of attack type C, the attack code analysis unit 123 executes the attack code with a terminal or emulator that can execute SQL statements against the DB.
- Before executing it, the attack code analysis unit 123 shapes the SQL statement. For example, it deletes the part of the statement preceding the SELECT phrase so that the SELECT phrase appears at the beginning of the attack code.
- The keyword that the attack code analysis unit 123 moves to the front of the SQL statement need not be the SELECT phrase; it may be another phrase such as update, delete or drop. Such phrases are assumed to be given in the attack-type keyword list 111 (see FIG. 3).
- The attack code analysis unit 123 then extracts the standard output and standard error of executing the shaped SQL statement as feature candidates. For example, it shapes the attack code "' union select 123456789--" into "select 123456789", executes the shaped code, and extracts the standard output "123456789" and the standard error "none" as feature candidates.
- If the attack code is of attack type D, the attack code itself appears in the response by the nature of the attack, so the attack code analysis unit 123 extracts the attack code itself as the feature candidate.
- For example, for the XSS attack code "<script>alert(1)</script>", the attack code analysis unit 123 extracts "<script>alert(1)</script>" as a feature candidate.
- For the header injection attack code "\r\nSet-Cookie: 1234;", the attack code analysis unit 123 extracts "\r\nSet-Cookie: 1234;" as a feature candidate.
- If the attack code is of attack type E, the attack code analysis unit 123 searches the OS for the file whose name appears in the attack code, and extracts the contents of that file as a feature candidate.
- For example, when the file named in the attack code is found, its contents "root:*:0:/bin/sh..." are extracted as a feature candidate.
- In this way, the attack code analysis unit 123 performs emulation according to the attack type of the attack code and extracts the feature (feature candidate) that appears when the attack by the attack code succeeds. The feature candidates extracted by the attack code analysis unit 123 are stored in the feature candidate DB 112.
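The per-type emulation described above (OS command, program code, shaped SQL, reflected HTTP response, file lookup), as an added example; this is not the patent's code. Assumptions: attack types are labelled A to E as in the description; the Python sub type of type B is run with the current interpreter (`sys.executable`) rather than a bare `python` command; an empty in-memory SQLite database stands in for the DB emulator; type E looks files up under a sandbox root; a timeout stops attack code from stalling the analysis. Only constructed, benign payloads are run here. In a real deployment the emulators execute attacker-controlled input, so they must run isolated from the analysis host, not as a `bash -c` on the box that holds the alert data.

```python
"""Feature extraction by emulating the attack code per attack type (added example)."""
import os
import re
import sqlite3
import subprocess
import sys
import tempfile
from typing import Dict, List, Optional

TIMEOUT_SECONDS = 5  # assumed limit so attack code cannot hang the analysis
# Phrases that may be moved to the front of a type C statement (assumed from keyword list 111).
SQL_LEADING_PHRASES = ("select", "update", "delete", "insert", "drop")


def shape_sql(attack_code: str) -> str:
    """Delete everything before the first leading phrase and any trailing comment,
    so "' union select 123456789--" becomes "select 123456789"."""
    lowered = attack_code.lower()
    starts = [s for s in (lowered.find(p) for p in SQL_LEADING_PHRASES) if s >= 0]
    if not starts:
        return attack_code.strip()
    shaped = attack_code[min(starts):]
    return re.split(r"--|#|/\*", shaped, maxsplit=1)[0].strip()


def _run(cmd: List[str]) -> Dict[str, str]:
    """Run cmd under a timeout; stdout and stderr are the raw feature candidates."""
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=TIMEOUT_SECONDS)
        return {"stdout": proc.stdout, "stderr": proc.stderr}
    except subprocess.TimeoutExpired:
        return {"stdout": "", "stderr": "timeout"}


def _run_sql(statement: str) -> Dict[str, str]:
    """Execute the shaped statement on an empty in-memory SQLite DB (assumed emulator)."""
    try:
        rows = sqlite3.connect(":memory:").execute(statement).fetchall()
        return {"stdout": "\n".join(" ".join(str(c) for c in r) for r in rows), "stderr": ""}
    except sqlite3.Error as exc:
        return {"stdout": "", "stderr": str(exc)}


def _read_named_file(attack_code: str, sandbox_root: str) -> Optional[str]:
    """Type E: strip traversal prefixes from the name in the attack code and read
    that file below sandbox_root; None if it does not exist there."""
    name = re.sub(r"^(\.\./|\.\.\\)+", "", attack_code.strip()).lstrip("/\\")
    path = os.path.join(sandbox_root, name)
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def make_sandbox(files: Dict[str, str]) -> str:
    """Create a temporary directory holding the given relative files (test fixture)."""
    root = tempfile.mkdtemp(prefix="emu-sandbox-")
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def extract_feature_candidates(attack_type: str, sub_type: Optional[str],
                               attack_code: str, sandbox_root: str = "/") -> List[str]:
    """Emulate the attack code per its type and return the non-empty outputs that
    would appear in a response if the attack succeeds."""
    if attack_type == "A":                                   # OS command
        out = _run(["sh", "-c", attack_code])
    elif attack_type == "B" and sub_type == "python":        # program code, Python
        out = _run([sys.executable, "-c", attack_code])
    elif attack_type == "B":
        raise NotImplementedError(f"no emulator configured for sub type {sub_type!r}")
    elif attack_type == "C":                                 # SQL, shaped first
        out = _run_sql(shape_sql(attack_code))
    elif attack_type == "D":                                 # XSS / header injection:
        return [attack_code]                                 # the code itself is reflected
    elif attack_type == "E":                                 # file operation
        content = _read_named_file(attack_code, sandbox_root)
        return [content.strip()] if content and content.strip() else []
    else:
        raise ValueError(f"unknown attack type {attack_type!r}")
    return [v.strip() for v in (out["stdout"], out["stderr"]) if v.strip()]
```

Note that standard error is kept as a candidate for types A to C, as the description states; an error message from a failed emulation can itself be a usable trace (the target would echo the same DB error on a successful injection), but it is also the kind of string the feature selection step below is meant to weed out.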
- The feature selection unit 124 excludes candidates that are unsuitable as features from the feature candidates extracted by the attack code analysis unit 123. Specifically, it excludes from the feature candidates stored in the feature candidate DB 112 those that are likely to be too universal to be used for determining the success or failure of an attack.
- For example, the feature selection unit 124 first excludes feature candidates whose string length is extremely short (for example, 2 characters or less) from the feature candidates stored in the feature candidate DB 112, then excludes words that also appear in normal responses, and stores the remaining candidates in the feature DB 114 as features of a successful attack.
- For example, from the feature candidates "1, 2, title, page, 123456789", the feature selection unit 124 first excludes "1, 2", whose string length is at or below the predetermined value (for example, 2). It then excludes universal words from the remaining candidates "title, page, 123456789".
- Specifically, the feature selection unit 124 refers to the request/response DB 113 and excludes from the candidates "title, page, 123456789" any candidate that appears one or more times in the request/response DB 113. The candidates remaining after this exclusion are stored in the feature DB 114 as features of a successful attack.
- For example, suppose the response "<html><title>My blog page</title><p>Hello world! Date: 2017/4/1</p></html>" is stored in the request/response DB 113.
- The feature selection unit 124 then excludes "title" and "page", which appear in that response, from the candidates "title, page, 123456789", and stores the remaining candidate "123456789" in the feature DB 114 as a feature of a successful attack.
- Although the feature selection unit 124 uses the request/response DB 113 to exclude universal words from the feature candidate DB 112 in the above, a list of universal words prepared in advance may be used instead.
- The feature selection unit 124 may perform both of the exclusions described above on the feature candidates extracted by the attack code analysis unit 123 (extremely short candidates and universal-word candidates), or only one of them.
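The selection step above, as an added example that is not the patent's code. `NORMAL_RESPONSES` is a constructed stand-in for request/response DB 113; the length threshold (2 or less is excluded) follows the description; the exclusion rule treats a candidate as universal if it occurs at least once as a substring anywhere in normal traffic, or if it is on an optional pre-built universal-word list. The splitting of raw emulator output into candidates (whole lines plus their tokens) is an assumption, since the description shows both a whole line ("root:*:0:/bin/sh...") and single words ("title", "page") as candidates.

```python
"""Feature selection: drop candidates that are too short or too universal (added example)."""
import re
from typing import Iterable, List, Optional, Set

MAX_SHORT_LENGTH = 2  # candidates this short or shorter are excluded

# Constructed normal traffic (responses recorded where no attack occurred).
NORMAL_RESPONSES = [
    "<html><title>My blog page</title><p>Hello world! Date: 2017/4/1</p></html>",
    "<html><title>Login page</title><form>name password</form></html>",
]


def candidates_from_output(emulator_output: str) -> List[str]:
    """Turn raw emulator output into candidates: each non-empty line as a whole
    plus its individual tokens, in order, without duplicates."""
    seen: Set[str] = set()
    out: List[str] = []
    for line in emulator_output.splitlines():
        for cand in [line.strip()] + re.findall(r"[A-Za-z0-9_@$./:*-]+", line):
            if cand and cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def appearance_count(candidate: str, normal_responses: Iterable[str]) -> int:
    """Number of times the candidate occurs as a substring of normal responses."""
    return sum(r.count(candidate) for r in normal_responses)


def select_features(candidates: Iterable[str],
                    normal_responses: Iterable[str] = NORMAL_RESPONSES,
                    universal_list: Optional[Set[str]] = None,
                    max_short_length: int = MAX_SHORT_LENGTH) -> List[str]:
    """Keep only candidates longer than max_short_length that never appear in
    normal traffic and are not on the universal-word list."""
    responses = list(normal_responses)
    universal = universal_list or set()
    kept = [c for c in candidates if len(c) > max_short_length]
    return [c for c in kept if appearance_count(c, responses) == 0 and c not in universal]
```

The substring rule is deliberately strict: "title" is dropped because it occurs inside the `<title>` tag of a normal page, which is the behaviour the worked example in the description requires. The price is that a genuinely attack-specific string that happens to be a substring of some benign page is also dropped, which is why the description allows the pre-built universal-word list as an alternative source.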
- The success/failure determination unit 125 checks whether each of a plurality of responses, corresponding respectively to a plurality of requests to the web server subsequent to the attack request, has the extracted feature, and determines that the attack by the attack code succeeded if at least one of the plurality of responses has it. Conversely, the success/failure determination unit 125 determines that the attack failed when no response contains a feature stored in the feature DB 114. It then outputs the determination result (success/failure).
- That is, the success/failure determination unit 125 obtains from the feature DB 114 the trace (feature) extracted from the attack request, and determines the success or failure of the attack by checking for the presence or absence of that trace in the responses.
- Specifically, the success/failure determination unit 125 checks whether each of the responses corresponding to requests sent to the web server within a predetermined threshold time T after the attack request has the extracted feature, and determines that the attack succeeded if at least one of them has it. In other words, when an attack request is detected, it inspects for the attack trace not only the response to the attack request but also all responses to requests that have the same source IP address as the attack request and arrive within the threshold time T. In addition to the time condition, it may inspect all responses with the same source IP address as the attack request until the number of requests, or the number of traces held in the feature DB 114, reaches a threshold.
- FIGS. 5 and 6 are diagrams for describing the processing by which the determination device of FIG. 1 determines the success or failure of an attack.
- FIG. 5 shows which responses are inspected when request 1 is determined to be an attack and an attack trace is extracted.
- In FIG. 5, the responses to be inspected are responses 1, 2 and 4. Response 3 is excluded because the source IP address of its request differs from that of the attack request, and response 5 is excluded because time T has elapsed since request 1.
- The source IP address restriction is applied in this way to improve processing performance by reducing the number of response candidates to be verified as much as possible.
- FIG. 6 shows an example in which the attack by request 1 is determined to be successful because the attack trace matches in response 3. That is, when attack request 1 arrives, the success/failure determination unit 125 inspects not only response 1 to request 1 but also the subsequent response 3 for the extracted trace, so that the success or failure of an attack spanning multiple requests can be determined.
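The windowed inspection of FIGS. 5 and 6, as an added example (not the patent's code). `SAMPLE_LOG` is a constructed request/response log shaped like FIG. 5: request 1 is the attack, request 3 comes from a different source IP, and request 5 arrives after the time window. The inspection rule follows the description: same source IP as the attack request, request time less than T after it, optionally capped at a number of requests; the first inspected response carrying any feature decides "success".

```python
"""Success/failure determination over the responses that follow an attack request (added example)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Exchange:
    """One request/response pair seen by the determination device."""
    req_id: int
    time: float       # seconds since capture start
    src_ip: str
    request: str
    response: str


# Constructed log; addresses are from documentation ranges.
SAMPLE_LOG: List[Exchange] = [
    Exchange(1,  0.0, "203.0.113.10", "GET /?cmd=cat+/etc/passwd;", "<html><p>Command queued</p></html>"),
    Exchange(2,  5.0, "203.0.113.10", "GET /status",                "<html><p>Pending</p></html>"),
    Exchange(3, 10.0, "198.51.100.7", "GET /result",                "<html><pre>root:*:0:/bin/sh</pre></html>"),
    Exchange(4, 20.0, "203.0.113.10", "GET /result",                "<html><pre>root:*:0:/bin/sh</pre></html>"),
    Exchange(5, 90.0, "203.0.113.10", "GET /result",                "<html><pre>123456789</pre></html>"),
]


def inspection_targets(log: Sequence[Exchange], attack: Exchange, window_t: float,
                       max_requests: Optional[int] = None) -> List[Exchange]:
    """Responses to inspect for the trace of `attack`: its own response and the
    later ones whose request shares the attack's source IP and arrived before
    window_t seconds had passed; at most max_requests of them when set."""
    targets = [e for e in log
               if e.req_id >= attack.req_id
               and e.src_ip == attack.src_ip
               and 0.0 <= e.time - attack.time < window_t]
    return targets if max_requests is None else targets[:max_requests]


def judge_attack(log: Sequence[Exchange], attack: Exchange, features: Iterable[str],
                 window_t: float, max_requests: Optional[int] = None
                 ) -> Tuple[bool, Optional[int], Optional[str]]:
    """Return (success, id of the matching request, matched feature). Any feature
    found in any inspected response means the attack succeeded."""
    feats = list(features)
    for e in inspection_targets(log, attack, window_t, max_requests):
        for f in feats:
            if f in e.response:
                return True, e.req_id, f
    return False, None, None
```

The same-source-IP condition is, as the description says, a performance measure rather than a correctness one: a trace that surfaces in a response to a different client (stored output fetched from another address) or after T is never inspected. Where the application can hand the attack's output to another client, drop the IP condition or widen T, accepting that more responses must then be inspected.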
- The attack detection unit 121 of the determination device 10 determines whether a request to the web application is an attack (S1). If the request is an attack (Yes in S1), the attack type determination unit 122 refers to the attack type keyword list 111 and determines the attack type of the attack code contained in the request (S2). If the attack type determination unit 122 can determine the attack type (Yes in S3), the attack code analysis unit 123 runs an emulation of the attack code based on the determined attack type and performs attack code analysis processing that extracts the information output by that execution as feature candidates of a successful attack (S4). If the attack detection unit 121 determines in S1 that the request to the web application is not an attack (No in S1), the processing ends.
- The feature selection unit 124 excludes feature candidates that are unsuitable as features (for example, universal words) from the feature candidates extracted in S4 and selects the feature to be used for determining the success or failure of the attack (S5). The feature used for the success/failure determination is stored, for example, in the feature DB 114.
- The success/failure determination unit 125 determines whether the predetermined time T has elapsed since the attack request (S7). If time T has elapsed since the attack request (Yes in S7), the success/failure determination unit 125 notifies an external device or the like that the attack failed (S10). If time T has not yet elapsed (No in S7), the success/failure determination unit 125 determines whether the feature stored in the feature DB 114 is contained in the response to the arrived request (S8). That is, the success/failure determination unit 125 determines whether the attack succeeded by comparing the feature stored in the feature DB 114 with the response from the web application that is the target of the success/failure determination.
- If the success/failure determination unit 125 determines that the feature stored in the feature DB 114 is contained in the response to the arrived request (Yes in S8), it notifies an external device or the like that the attack succeeded (S9). If it determines that the feature is not contained in the response (No in S8), the processing returns to S7 and the above steps are repeated. In other words, the success/failure determination unit 125 determines that the attack on the web application succeeded when the feature stored in the feature DB 114 is contained in a response received within time T after the attack request.
- If the attack type determination unit 122 cannot determine the attack type in S3 (No in S3), or if it is determined in S6 that no feature exists in the feature DB 114 (No in S6), the determination device 10 notifies an external device or the like that the success or failure of the attack cannot be determined (S11).
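The windowed inspection of FIGS. 5 and 6 and the S7-S10 decision, as an added Python example that is not code from the patent; the log records, IP addresses and the window length T = 10 s are constructed assumptions, and the feature value is the one quoted in the description.

```python
"""Added example (not the patent's own code): the success/failure
determination of the first embodiment, run over a constructed
request/response log.  Each record carries a sequence number, arrival
time, source IP address, request line and response body.  The feature
is assumed to have been produced already by the emulation step (S4/S5);
the value used here is the one quoted in the description.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Record:
    seq: int        # request/response number as in FIGS. 5 and 6
    ts: float       # arrival time of the request, in seconds
    src_ip: str     # source IP address of the request
    request: str    # request line (attack payload text omitted in the samples)
    response: str   # response body returned by the web server


# Feature extracted by the emulation (example value from the description).
FEATURE = "root:*:0:/bin/sh"
# Threshold time T of the first embodiment (constructed value, seconds).
T = 10.0


def inspection_targets(log: List[Record], attack_seq: int, window_t: float) -> List[int]:
    """Sequence numbers of the responses to inspect: the attack request's
    own response plus every later request from the same source IP address
    whose arrival time is within window_t seconds of the attack request."""
    attack = next(r for r in log if r.seq == attack_seq)
    return [r.seq for r in log
            if r.seq >= attack_seq
            and r.src_ip == attack.src_ip
            and r.ts - attack.ts <= window_t]


def judge(log: List[Record], attack_seq: int, feature: str,
          window_t: float) -> Tuple[str, Optional[int]]:
    """Steps S7-S10 of FIG. 7: 'success' with the matching response number
    when the feature occurs in any targeted response inside the window,
    'failure' once the window closes without a hit."""
    targets = set(inspection_targets(log, attack_seq, window_t))
    for r in sorted(log, key=lambda x: x.ts):
        if r.seq in targets and feature in r.response:
            return "success", r.seq
    return "failure", None


# Constructed log modelled on FIG. 5: request 3 comes from another address,
# request 5 arrives after T seconds; no response carries the feature.
LOG_FIG5 = [
    Record(1, 0.0, "198.51.100.7", "GET /index.php?id=<attack code>", "<html>ok</html>"),
    Record(2, 2.0, "198.51.100.7", "GET /index.php?id=2", "<html>ok</html>"),
    Record(3, 3.0, "203.0.113.9", "GET /view.php?id=1", "<html>ok</html>"),
    Record(4, 5.0, "198.51.100.7", "GET /view.php?id=1", "<html>ok</html>"),
    Record(5, 12.0, "198.51.100.7", "GET /view.php?id=1", "<html>ok</html>"),
]

# Constructed log modelled on FIG. 6: the trace surfaces in response 3,
# not in response 1 to the attack request itself.
LOG_FIG6 = [
    Record(1, 0.0, "198.51.100.7", "GET /index.php?id=<attack code>", "<html>ok</html>"),
    Record(2, 1.0, "198.51.100.7", "GET /index.php?id=2", "<html>ok</html>"),
    Record(3, 4.0, "198.51.100.7", "GET /view.php?id=1",
           "<pre>root:*:0:/bin/sh\nnobody:*:65534:/nonexistent</pre>"),
]


if __name__ == "__main__":
    print("FIG. 5 targets:", inspection_targets(LOG_FIG5, 1, T))   # [1, 2, 4]
    print("FIG. 5 verdict:", judge(LOG_FIG5, 1, FEATURE, T))       # ('failure', None)
    print("FIG. 6 verdict:", judge(LOG_FIG6, 1, FEATURE, T))       # ('success', 3)
```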
- Typical attacks spanning multiple requests, in which the trace of the attack appears in a response other than the response to the attack request, include Second order SQL injection, Stored XSS, Blind command injection, and Command execution via File Upload.
- This attack technique can be used when a vulnerability allows arbitrary commands or code to be executed but the output is restricted by the application specification. For example, when the request (1) illustrated in FIG. 9 is issued, the attack code portion inserted by the attacker, "; cat /etc/passwd", is executed and the contents of an unintended file (/etc/passwd) are leaked.
- In some cases, however, the above attack code cannot output the file contents. As shown in request (1), the attacker can then first write the contents of the file to a file in a public directory and afterwards access that file directly, thereby leaking the execution result of the attack code (see, for example, the reference).
- In this attack, request (1) contains the attack code, but the contents of the file /etc/passwd, which are the trace of the attack's success, appear in response (2).
- Even when the trace of an attack appears in a response other than the response to the attack request, the success or failure of the attack can therefore be determined appropriately.
- This attack technique exploits a file upload function. For example, applications that manage content such as blogs have a function for uploading media files such as images; because of an implementation vulnerability, however, files that can be executed on the server, such as PHP files, may also be uploadable.
- The request (1) illustrated in FIG. 10 uploads, via /upload.php, the file exploit.jpg.php in which the attack code "<?php system("cat /etc/passwd")?>" is written. If the attacker knows that uploaded files are saved in the /uploadfile directory, the attack code can be executed by accessing the file as shown in request (2). In this attack, as shown below, the attack code is contained in request (1), but the contents of the file /etc/passwd, which are the trace of the attack's success, appear in response (2).
- Even when the trace of an attack appears in a response other than the response to the attack request, the success or failure of the attack can therefore be determined appropriately.
- In the determination device 10 of the first embodiment described above, the inspection target was narrowed down by imposing a restriction based on the source IP address.
- However, some attackers may access the server using a different IP address for each request, in which case inspection is missed. Removing the source IP address restriction reduces such missed inspections, but the number of inspection targets becomes enormous and affects processing performance.
- Therefore, the inspection target may be narrowed down by imposing individual restrictions according to the attack method.
- For the attack methods Second order SQL injection and Stored XSS, the relation between input and output is determined in advance from the contents of past requests and responses, and the inspection target is narrowed down by setting rules that restrict the request URL.
- The determination device 10 in this case is described as the determination device 10a of the second embodiment.
- Components that are the same as in the above-described embodiment are denoted by the same reference numerals, and their description is omitted.
- The determination device 10a of the second embodiment differs from the determination device 10 of the first embodiment in that it includes an input/output URL rule table 115 and an input/output URL rule creation unit 126.
- The input/output URL rule table 115 defines pairs of an input URL and an output URL as input/output URL rules used to search for requests to be inspected.
- The input/output URL rule creation unit 126 takes, from past requests and responses, the URL path portion of a request containing a predetermined keyword as the input URL and the URL path portion of the request corresponding to a response containing that keyword as the output URL, and creates the pair of input URL and output URL as an input/output URL rule for searching for requests to be inspected.
- In other words, the input/output URL rule creation unit 126 creates, from past requests and responses, a rule pairing the URL that receives input from the user with the URL at which that input is processed and output.
- A specific processing example of the input/output URL rule creation unit 126 is described below.
- First, the input/output URL rule creation unit 126 extracts the parameter values from the request URL and determines whether each input is a character string that serves as a keyword.
- A keyword is a character string that is a unique expression, excluding general expressions of the application and universal expressions of HTML.
- For example, the id parameter values 1, 2, and 3 are general expressions, whereas the content values 1234abcd and 5678wxyz are keywords.
- The input/output URL rule creation unit 126 then sets the URL path portion of the request containing the keyword as the input URL.
- The URL path portion of the request whose response contains the keyword is set as the output URL.
- In this example, the input URL is /edit.php and the output URL is /view.php.
- The input/output URL rule creation unit 126 aggregates the correspondences between input URLs and output URLs as tuples (input URL, output URL), and when a tuple occurs more than a threshold N times, stores it in the input/output URL rule table 115.
- As illustrated in the example of FIG. 13, the input/output URL rule table 115 stores the pairs of input URL and output URL created by the input/output URL rule creation unit 126.
- When the URL path of the attack request matches the input URL of an input/output URL rule, the success/failure determination unit 125 determines whether the response corresponding to a request that matches the output URL paired with that input URL, among the requests to the web server after the attack request, has the extracted feature. If the response has the extracted feature, it determines that the attack by the attack code succeeded.
- The success/failure determination unit 125 checks whether the URL path of the attack request exists among the input URLs of the input/output URL rule table 115. If it does, only the responses of requests whose URL path matches the output URL paired with that input URL are inspected. For example, with the input/output URL rule illustrated in FIG. 13, if the URL path of the attack request is /edit.php, only the responses of requests whose URL path is /view.php are inspected.
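Rule creation from past traffic and the narrowing of the inspection target by input/output URL, as an added Python example that is not the patent's code; the keyword criterion, the past traffic and the threshold N are constructed assumptions.

```python
"""Added example (not the patent's own code): building the input/output
URL rule table of the second embodiment from past traffic and using it to
select the responses to inspect.  The keyword test is a constructed
stand-in: the description only says a keyword is a unique expression
rather than a general expression of the application or of HTML.
"""
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qsl, urlsplit

Rule = Tuple[str, str]   # (input URL, output URL)

# Constructed stand-in for "general expressions" (boolean flags and the like).
GENERAL_EXPRESSIONS = {"on", "off", "true", "false", "yes", "no"}


def split_request(request_line: str) -> Tuple[str, Dict[str, str]]:
    """'GET /edit.php?id=1&content=1234abcd' -> ('/edit.php', {'id': '1', 'content': '1234abcd'})."""
    _method, target, *_ = request_line.split()
    parts = urlsplit(target)
    return parts.path, dict(parse_qsl(parts.query))


def is_keyword(value: str) -> bool:
    """Assumed criterion: not a numeric id, not a generic flag, and long
    enough to be a unique expression (the 1234abcd / 5678wxyz of the text)."""
    return (not value.isdigit()
            and value.lower() not in GENERAL_EXPRESSIONS
            and len(value) >= 6)


def build_io_url_rules(history: List[Tuple[str, str]], threshold_n: int) -> Set[Rule]:
    """history: (request line, response body) pairs in arrival order.
    A request whose parameter value is a keyword gives the input URL; every
    later response containing that keyword gives an output URL.  Tuples
    seen at least threshold_n times become rules (N assumed inclusive)."""
    counts: Counter = Counter()
    for i, (request, _response) in enumerate(history):
        in_path, params = split_request(request)
        for keyword in (v for v in params.values() if is_keyword(v)):
            for later_request, later_response in history[i + 1:]:
                if keyword in later_response:
                    out_path, _ = split_request(later_request)
                    counts[(in_path, out_path)] += 1
    return {rule for rule, n in counts.items() if n >= threshold_n}


def targets_by_io_rule(rules: Set[Rule], attack_request: str,
                       later_requests: List[str]) -> Optional[List[str]]:
    """Requests after the attack whose path matches an output URL paired with
    the attack request's path.  None means the attack path is in no rule, so
    this restriction cannot narrow the inspection target."""
    attack_path, _ = split_request(attack_request)
    outputs = {out for (inp, out) in rules if inp == attack_path}
    if not outputs:
        return None
    return [r for r in later_requests if split_request(r)[0] in outputs]


# Constructed past traffic for a blog-style application (edit/view pages).
HISTORY = [
    ("GET /edit.php?id=1&content=1234abcd", "<html>saved</html>"),
    ("GET /view.php?id=1", "<html><p>1234abcd</p></html>"),
    ("GET /edit.php?id=2&content=5678wxyz", "<html>saved</html>"),
    ("GET /view.php?id=2", "<html><p>5678wxyz</p></html>"),
    ("GET /view.php?id=1", "<html><p>1234abcd</p></html>"),
    ("GET /list.php?page=2", "<html>posts</html>"),
]

if __name__ == "__main__":
    rules = build_io_url_rules(HISTORY, threshold_n=2)
    print(rules)   # {('/edit.php', '/view.php')}
    print(targets_by_io_rule(rules, "GET /edit.php?id=3&content=attack-code-here",
                             ["GET /index.php", "GET /view.php?id=3", "GET /view.php?id=1"]))
```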
- The attack trace of request 1 is found in response 3, so it is determined that the attack succeeded.
- The input/output URL rule table 115 used here is the one illustrated in FIG.
- Request 3 has a source IP address different from that of request 1, so under the source IP address restriction it would be excluded from inspection and a detection failure would occur.
- In the determination device 10a of this embodiment, the responses of requests whose URL path is /view.php are inspected, so request 3 becomes an inspection target and it is correctly determined that the attack succeeded.
- In the determination device 10a of the second embodiment described above, the inspection target was narrowed down by focusing on the input/output URLs. Blind command injection and Command execution via File Upload, however, do not change the URL between input and output, so the determination device 10a of the second embodiment cannot handle them. Because these attack methods go through a file, the inspection target can instead be narrowed down by comparing the name of the file to be created with the URL of the request.
- The determination device 10 in this case is described as the determination device 10b of the third embodiment.
- Components that are the same as in the above-described embodiments are denoted by the same reference numerals, and their description is omitted.
- The determination device 10b of the third embodiment differs from the determination device 10a of the second embodiment in that it includes a file name rule table 116 and a file name rule creation unit 127.
- The file name rule table 116 prescribes the file names created by the attack code as file name rules used to search for requests to be inspected.
- The file name rule creation unit 127 extracts the file name created by the attack code, creates the extracted file name as a file name rule for searching for requests to be inspected, and stores it in the file name rule table 116.
- Since an attacker creates a file using the redirection function of the OS or the like, the file name following the redirect expression is extracted. For example, if the attack code is "cat /etc/passwd > /var/www/secret", the redirect expression is ">" and the file name that follows it is secret. As illustrated in FIG. 16, secret is stored in the file name rule table 116.
- The success/failure determination unit 125 checks whether the response corresponding to a request containing a file name from a file name rule, among the requests to the web server after the attack request, has the extracted feature, and if so determines that the attack by the attack code succeeded. In other words, the success/failure determination unit 125 searches the request URL for a file name present in the file name rule table 116, and only when one is present is the response to that request inspected.
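The file name rule extraction of FIG. 16 and the request-URL search of FIG. 17, as an added Python example that is not the patent's code; the regular expression for the redirect expression is an assumption that covers only the plain ">" and ">>" forms.

```python
"""Added example (not the patent's own code): the file name rule of the
third embodiment.  The file name written by an OS redirect in the attack
code is extracted (FIG. 16) and later request URLs are searched for it
(FIG. 17).  Only the plain '>' / '>>' redirect form is handled here.
"""
import re
from posixpath import basename
from typing import List, Set
from urllib.parse import urlsplit

# Assumed pattern: '>' or '>>' followed by a path; the path ends at
# whitespace or a shell separator.  Quoting is not modelled.
REDIRECT_RE = re.compile(r">>?\s*([^\s;&|)]+)")


def file_name_rules(attack_code: str) -> Set[str]:
    """'cat /etc/passwd > /var/www/secret' -> {'secret'}; empty names
    (a redirect to a directory) are dropped."""
    return {basename(path) for path in REDIRECT_RE.findall(attack_code)} - {""}


def matches_file_name_rule(request_line: str, rules: Set[str]) -> bool:
    """True when the URL path of the request contains a rule file name."""
    _method, target, *_ = request_line.split()
    path = urlsplit(target).path
    return any(name in path for name in rules)


def targets_by_file_name(rules: Set[str], later_requests: List[str]) -> List[str]:
    """Requests after the attack whose responses are to be inspected: in
    FIG. 17 this is request 3, whose URL contains 'secret', regardless of
    its source IP address."""
    return [r for r in later_requests if matches_file_name_rule(r, rules)]


if __name__ == "__main__":
    rules = file_name_rules("cat /etc/passwd > /var/www/secret")
    print(rules)   # {'secret'}
    print(targets_by_file_name(rules, ["GET /index.php", "GET /secret", "GET /view.php?id=1"]))
```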
- FIG. 17 shows an example in which the attack is determined to be successful because the attack trace of request 1 is found in response 3.
- Here, secret is stored as a file name rule in the file name rule table 116.
- Request 3 has a source IP address different from that of request 1, so under the source IP address restriction it would be excluded from inspection and a detection failure would occur.
- The URL of request 3 contains secret, so request 3 is an inspection target and it is correctly determined that the attack succeeded.
- In this way, the output of the attack code can be made an inspection target even for attacks that go through a file, and detection omissions can be reduced.
- The attack detection unit 121 of the determination devices 10, 10a, and 10b described in each embodiment may be installed outside the determination device 10.
- For example, it may be realized by an attack detection device such as a WAF installed outside the determination devices 10, 10a, and 10b.
- The determination devices 10, 10a, and 10b may be directly connected to the web server that is the target of the attack success/failure determination (inline configuration), as shown in FIG. 18(a), or connected to the web server via an attack detection device such as a WAF (tap configuration), as shown in FIG. 18(b).
- Each component of each illustrated device is functionally conceptual and need not be physically configured as illustrated.
- That is, the specific form of distribution and integration of each device is not limited to that shown in the figures; all or part of each device may be functionally or physically distributed or integrated in arbitrary units according to various loads and usage conditions.
- Furthermore, all or any part of the processing functions performed in each device may be realized by a CPU and a program analyzed and executed by that CPU, or as hardware using wired logic.
- An information processing apparatus can be made to function as the determination device 10 by causing it to execute the program, provided as packaged software or online software.
- The information processing apparatus referred to here includes desktop and notebook personal computers.
- The information processing apparatus also includes mobile communication terminals such as smartphones, mobile phones, and PHS (Personal Handyphone System) terminals, as well as PDAs (Personal Digital Assistants) and the like.
- The computer 1000 includes, for example, a memory 1010, a CPU 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.
- The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012.
- The ROM 1011 stores a boot program such as a BIOS (Basic Input Output System).
- The hard disk drive interface 1030 is connected to the hard disk drive 1090.
- The disk drive interface 1040 is connected to the disk drive 1100.
- A removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100, for example.
- A mouse 1110 and a keyboard 1120 are connected to the serial port interface 1050.
- A display 1130 is connected to the video adapter 1060.
- The hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094.
- The various data and information described in the above embodiments are stored, for example, in the hard disk drive 1090 or the memory 1010.
- The CPU 1020 reads the program module 1093 and the program data 1094 stored in the hard disk drive 1090 into the RAM 1012 as necessary and executes the procedures described above.
- The program module 1093 and the program data 1094 related to the above determination program are not limited to being stored in the hard disk drive 1090.
- For example, the program module 1093 and the program data 1094 may be stored in a removable storage medium and read by the CPU 1020 via the disk drive 1100 or the like.
- Alternatively, the program module 1093 and the program data 1094 related to the above program may be stored in another computer connected via a network such as a LAN (Local Area Network) or a WAN (Wide Area Network) and read by the CPU 1020 via the network interface 1070.
Description
[Overview]
The operation of the determination device 10 of the first embodiment is outlined with reference to FIGS. 1 and 2. First, as shown in FIG. 1, when the determination device 10 receives an attack request (1) to a web application (web server), it identifies the attack code contained in the attack request and its attack type. The determination device 10 then executes the attack code in an emulator corresponding to the identified attack type (for example, an attack type that abuses OS (Operating System) commands), and extracts the information the web server outputs as a result of the execution as the feature that is output when the attack succeeds (for example, "root:*:0:/bin/sh…") (2).
Next, the configuration of the determination device 10 is described with reference to FIG. 3. The determination device 10 includes a storage unit 11, an attack detection unit 121, an attack type determination unit 122, an attack code analysis unit (feature extraction unit) 123, a feature selection unit 124, and a success/failure determination unit 125.
Next, the processing procedure of the determination device 10 is described with reference to FIG. 7. First, the attack detection unit 121 of the determination device 10 determines whether a request to the web application is an attack (S1). If the request is an attack (Yes in S1), the attack type determination unit 122 refers to the attack type keyword list 111 and determines the attack type of the attack code contained in the request (S2). If the attack type determination unit 122 can determine the attack type (Yes in S3), the attack code analysis unit 123 runs an emulation of the attack code based on the determined attack type and performs attack code analysis processing that extracts the information output by that execution as feature candidates of a successful attack (S4). If the attack detection unit 121 determines in S1 that the request to the web application is not an attack (No in S1), the processing ends.
Such a determination device 10 has the effect that the success or failure of an attack can be determined appropriately even when the trace of the attack appears in a response other than the response to the attack request.
Edit: GET /edit.php?id=1&content=My first post
View: GET /view.php?id=1
Reference: Commix: Detecting & Exploiting Command Injection Flaws.
https://www.blackhat.com/docs/eu-15/materials/eu-15-Stasinopoulos-Commix-Detecting-And-Exploiting-Command-Injection-Flaws.pdf
In the determination device 10 of the first embodiment described above, the inspection target was narrowed down by imposing a restriction based on the source IP address; however, some attackers may access the server using a different IP address for each request, which results in missed inspections. Removing the source IP address restriction reduces such missed inspections, but the number of inspection targets becomes enormous and affects processing performance.
In the determination device 10a of the second embodiment described above, the inspection target was narrowed down by focusing on the input/output URLs; however, Blind command injection and Command execution via File Upload do not change the URL between input and output, so the determination device 10a of the second embodiment cannot handle them. Because these attack methods go through a file, the inspection target can be narrowed down by comparing the name of the file to be created with the URL of the request. The determination device 10 in this case is described as the determination device 10b of the third embodiment. Components that are the same as in the above-described embodiments are denoted by the same reference numerals, and their description is omitted.
The attack detection unit 121 of the determination devices 10, 10a, and 10b described in each embodiment may be installed outside the determination device 10. For example, as shown in FIGS. 18(a) and 18(b), it may be realized by an attack detection device such as a WAF installed outside the determination devices 10, 10a, and 10b. The determination devices 10, 10a, and 10b may be directly connected to the web server that is the target of the attack success/failure determination (inline configuration), as shown in FIG. 18(a), or connected to the web server via an attack detection device such as a WAF (tap configuration), as shown in FIG. 18(b).
Each component of each illustrated device is functionally conceptual and need not be physically configured as illustrated. That is, the specific form of distribution and integration of each device is not limited to that shown in the figures; all or part of each device may be functionally or physically distributed or integrated in arbitrary units according to various loads and usage conditions. Furthermore, all or any part of the processing functions performed in each device may be realized by a CPU and a program analyzed and executed by that CPU, or as hardware using wired logic.
The functions of the determination device 10 described in the above embodiments can be implemented by installing a program that realizes them on a desired information processing apparatus (computer). For example, by causing an information processing apparatus to execute the above program, provided as packaged software or online software, the information processing apparatus can be made to function as the determination device 10. The information processing apparatus referred to here includes desktop and notebook personal computers. It also includes mobile communication terminals such as smartphones, mobile phones, and PHS (Personal Handyphone System) terminals, as well as PDAs (Personal Digital Assistants) and the like. The determination device 10 may also be implemented on a cloud server.
11 storage unit
111 attack type keyword list
112 feature candidate DB
113 request/response DB
114 feature DB
115 input/output URL rule table
116 file name rule table
121 attack detection unit
122 attack type determination unit
123 attack code analysis unit
124 feature selection unit
125 success/failure determination unit
126 input/output URL rule creation unit
127 file name rule creation unit
Claims (7)
- A determination method for determining whether an attack on a server by attack code has succeeded, comprising: an attack type determination step of determining the attack type of the attack code contained in an attack request to the server; a feature extraction step of performing, in accordance with the determined attack type, an emulation of the attack on the server by the attack code and extracting, from the result of the emulation, a feature that appears in a response from the server when the attack on the server succeeds; and a success/failure determination step of inspecting whether each of a plurality of responses corresponding to a plurality of requests to the server subsequent to the attack request has the extracted feature, and determining that the attack by the attack code has succeeded when at least one of the plurality of responses has the extracted feature.
- The determination method according to claim 1, wherein the success/failure determination step inspects whether each of a plurality of responses corresponding to a plurality of requests transmitted to the server within a predetermined time after the attack request has the extracted feature, and determines that the attack by the attack code has succeeded when at least one of the plurality of responses has the extracted feature.
- The determination method according to claim 1, wherein the success/failure determination step inspects whether each of a plurality of responses corresponding to a plurality of requests to the server subsequent to the attack request and having the same source IP address as the attack request has the extracted feature, and determines that the attack by the attack code has succeeded when at least one of the plurality of responses has the extracted feature.
- The determination method according to claim 1, further comprising an input/output URL rule creation step of taking, from past requests and responses, the URL path portion of a request containing a predetermined keyword as an input URL and the URL path portion of the request corresponding to a response containing the predetermined keyword as an output URL, and creating the pair of the input URL and the output URL as an input/output URL rule for searching for requests to be inspected, wherein the success/failure determination step, when the URL path portion of the attack request matches the input URL of the input/output URL rule, inspects whether the response corresponding to a request that matches the output URL paired with that input URL, among the requests to the server subsequent to the attack request, has the extracted feature, and determines that the attack by the attack code has succeeded when it has the extracted feature.
- The determination method according to claim 1, further comprising a file name rule creation step of extracting a file name created by the attack code and creating the extracted file name as a file name rule for searching for requests to be inspected, wherein the success/failure determination step inspects whether the response corresponding to a request containing the file name of the file name rule, among the requests to the server subsequent to the attack request, has the extracted feature, and determines that the attack by the attack code has succeeded when it has the extracted feature.
- A determination device for determining whether an attack on a server by attack code has succeeded, comprising: an attack type determination unit that determines the attack type of the attack code contained in an attack request to the server; a feature extraction unit that performs, in accordance with the determined attack type, an emulation of the attack on the server by the attack code and extracts, from the result of the emulation, a feature that appears in a response from the server when the attack on the server succeeds; and a success/failure determination unit that inspects whether each of a plurality of responses corresponding to a plurality of requests to the server subsequent to the attack request has the extracted feature, and determines that the attack by the attack code has succeeded when at least one of the plurality of responses has the extracted feature.
- A determination program for determining whether an attack on a server by attack code has succeeded, the program causing a computer to execute: an attack type determination step of determining the attack type of the attack code contained in an attack request to the server; a feature extraction step of performing, in accordance with the determined attack type, an emulation of the attack on the server by the attack code and extracting, from the result of the emulation, a feature that appears in a response from the server when the attack on the server succeeds; and a success/failure determination step of inspecting whether each of a plurality of responses corresponding to a plurality of requests to the server subsequent to the attack request has the extracted feature, and determining that the attack by the attack code has succeeded when at least one of the plurality of responses has the extracted feature.
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US17/056,904 US11805149B2 (en) | 2018-05-21 | 2019-04-15 | Determination method, determination device and recording medium |
JP2020521094A JP7092192B2 (ja) | 2018-05-21 | 2019-04-15 | 判定方法、判定装置および判定プログラム |
EP19807703.4A EP3783846B1 (en) | 2018-05-21 | 2019-04-15 | Determination method, determination device and determination program |
AU2019273974A AU2019273974B2 (en) | 2018-05-21 | 2019-04-15 | Determination method, determination device and determination program |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2018097418 | 2018-05-21 | ||
JP2018-097418 | 2018-05-21 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2019225216A1 true WO2019225216A1 (ja) | 2019-11-28 |
Family
ID=68616393
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2019/016222 WO2019225216A1 (ja) | 2018-05-21 | 2019-04-15 | 判定方法、判定装置および判定プログラム |
Country Status (5)
Country | Link |
---|---|
US (1) | US11805149B2 (ja) |
EP (1) | EP3783846B1 (ja) |
JP (1) | JP7092192B2 (ja) |
AU (1) | AU2019273974B2 (ja) |
WO (1) | WO2019225216A1 (ja) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2021149119A1 (ja) * | 2020-01-20 | 2021-07-29 | 日本電信電話株式会社 | 推定システム及び推定プログラム |
WO2022264239A1 (ja) * | 2021-06-14 | 2022-12-22 | 日本電信電話株式会社 | アラート検証装置、アラート検証方法及びアラート検証プログラム |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2020246011A1 (ja) * | 2019-06-06 | 2020-12-10 | 日本電気株式会社 | ルール生成装置、ルール生成方法、及びコンピュータ読み取り可能な記録媒体 |
CN114389863B (zh) * | 2021-12-28 | 2024-02-13 | 绿盟科技集团股份有限公司 | 一种蜜罐交互的方法、装置、蜜罐网络、设备及存储介质 |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2017130911A (ja) * | 2016-01-18 | 2017-07-27 | パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカPanasonic Intellectual Property Corporation of America | 評価装置、評価システム及び評価方法 |
JP2018022419A (ja) * | 2016-08-05 | 2018-02-08 | シャープ株式会社 | 画像形成装置、攻撃耐性評価プログラムおよび攻撃耐性評価システム |
Family Cites Families (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8615800B2 (en) * | 2006-07-10 | 2013-12-24 | Websense, Inc. | System and method for analyzing web content |
US9654495B2 (en) * | 2006-12-01 | 2017-05-16 | Websense, Llc | System and method of analyzing web addresses |
KR20080065084A (ko) * | 2007-01-08 | 2008-07-11 | 유디코스모 주식회사 | 모의 공격을 이용한 네트워크 취약점 분석 방법 및 장치 |
US8504504B2 (en) * | 2008-09-26 | 2013-08-06 | Oracle America, Inc. | System and method for distributed denial of service identification and prevention |
US8069471B2 (en) * | 2008-10-21 | 2011-11-29 | Lockheed Martin Corporation | Internet security dynamics assessment system, program product, and related methods |
US8935773B2 (en) * | 2009-04-09 | 2015-01-13 | George Mason Research Foundation, Inc. | Malware detector |
JP6106340B2 (ja) * | 2014-06-06 | 2017-03-29 | 日本電信電話株式会社 | ログ分析装置、攻撃検知装置、攻撃検知方法およびプログラム |
JP6114480B2 (ja) * | 2014-08-11 | 2017-04-12 | 日本電信電話株式会社 | 構築装置、構築方法、および、構築プログラム |
US9787695B2 (en) * | 2015-03-24 | 2017-10-10 | Qualcomm Incorporated | Methods and systems for identifying malware through differences in cloud vs. client behavior |
US10609079B2 (en) * | 2015-10-28 | 2020-03-31 | Qomplx, Inc. | Application of advanced cybersecurity threat mitigation to rogue devices, privilege escalation, and risk-based vulnerability and patch management |
US10243971B2 (en) * | 2016-03-25 | 2019-03-26 | Arbor Networks, Inc. | System and method for retrospective network traffic analysis |
US10257214B2 (en) * | 2016-06-23 | 2019-04-09 | Cisco Technology, Inc. | Using a machine learning classifier to assign a data retention priority for network forensics and retrospective detection |
RU2634211C1 (ru) * | 2016-07-06 | 2017-10-24 | Общество с ограниченной ответственностью "Траст" | Способ и система анализа протоколов взаимодействия вредоносных программ с центрами управления и выявления компьютерных атак |
US11271955B2 (en) * | 2017-12-28 | 2022-03-08 | Fireeye Security Holdings Us Llc | Platform and method for retroactive reclassification employing a cybersecurity-based global data store |
GB2574209B (en) * | 2018-05-30 | 2020-12-16 | F Secure Corp | Controlling Threats on a Computer System by Searching for Matching Events on other Endpoints |
US11050793B2 (en) * | 2018-12-19 | 2021-06-29 | Abnormal Security Corporation | Retrospective learning of communication patterns by machine learning models for discovering abnormal behavior |
US11681804B2 (en) * | 2020-03-09 | 2023-06-20 | Commvault Systems, Inc. | System and method for automatic generation of malware detection traps |
CN112019575B (zh) * | 2020-10-22 | 2021-01-29 | 腾讯科技(深圳)有限公司 | 数据包处理方法、装置、计算机设备以及存储介质 |
2019
- 2019-04-15 JP JP2020521094A patent/JP7092192B2/ja active Active
- 2019-04-15 AU AU2019273974A patent/AU2019273974B2/en active Active
- 2019-04-15 US US17/056,904 patent/US11805149B2/en active Active
- 2019-04-15 EP EP19807703.4A patent/EP3783846B1/en active Active
- 2019-04-15 WO PCT/JP2019/016222 patent/WO2019225216A1/ja unknown
Non-Patent Citations (1)
Title |
---|
YANG ZHONG; KAZUFUMI AOKI; JUN MIYOSHI; HAJIME SHIMADA; HIROKI TAKAKURA: "AVT Lite: Detection Successful Web Attacks Based-on Attack Code Emulation", PROCEEDINGS OF THE COMPUTER SECURITY SYMPOSIUM 2017, 2017 |
Also Published As
Publication number | Publication date |
---|---|
JPWO2019225216A1 (ja) | 2020-12-10 |
EP3783846A1 (en) | 2021-02-24 |
JP7092192B2 (ja) | 2022-06-28 |
AU2019273974A1 (en) | 2020-12-10 |
US11805149B2 (en) | 2023-10-31 |
US20210306374A1 (en) | 2021-09-30 |
EP3783846A4 (en) | 2022-01-12 |
AU2019273974B2 (en) | 2022-03-17 |
EP3783846B1 (en) | 2022-06-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2019225216A1 (ja) | 判定方法、判定装置および判定プログラム | |
US9083729B1 (en) | Systems and methods for determining that uniform resource locators are malicious | |
RU2637477C1 (ru) | Система и способ обнаружения фишинговых веб-страниц | |
US20160070911A1 (en) | Rapid malware inspection of mobile applications | |
JP6708794B2 (ja) | 判定装置、判定方法、および、判定プログラム | |
US11544384B2 (en) | Applying machine learning techniques to discover security impacts of application programming interfaces | |
JP6687761B2 (ja) | 結合装置、結合方法および結合プログラム | |
JP6557334B2 (ja) | アクセス分類装置、アクセス分類方法、及びアクセス分類プログラム | |
US11005877B2 (en) | Persistent cross-site scripting vulnerability detection | |
JP6450022B2 (ja) | 解析装置、解析方法、および、解析プログラム | |
Leithner et al. | Hydra: Feedback-driven black-box exploitation of injection vulnerabilities | |
JP6867552B2 (ja) | 判定方法、判定装置および判定プログラム | |
US9219742B2 (en) | Transforming user-input data in scripting language | |
US9398041B2 (en) | Identifying stored vulnerabilities in a web service | |
CN114626061A (zh) | 网页木马检测的方法、装置、电子设备及介质 | |
US20240250964A1 (en) | Alert verification device, alert verification method, and alert verification program | |
JP7424393B2 (ja) | 推定システム、推定方法及び推定プログラム | |
US11741223B2 (en) | Validation of network host in email | |
WO2022249416A1 (ja) | 分析装置、分析方法、および、分析システム | |
CN115225291A (zh) | 网页访问安全性检测方法、装置和存储介质 | |
Karademir | Detecting PDF JavaScript malware using clone detection |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 19807703; Country of ref document: EP; Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 2020521094; Country of ref document: JP; Kind code of ref document: A |
| NENP | Non-entry into the national phase | Ref country code: DE |
| ENP | Entry into the national phase | Ref document number: 2019807703; Country of ref document: EP; Effective date: 20201118 |
| ENP | Entry into the national phase | Ref document number: 2019273974; Country of ref document: AU; Date of ref document: 20190415; Kind code of ref document: A |